Ransomware Attack Response Checklist


According to a recent Statista report, there were about 304 million ransomware attacks worldwide in 2020, a 62% increase over the previous year. In light of recent ransomware attacks worldwide and in Australia, such as the Kaseya attack, you have to make sure that your organization or company is prepared.

Ransomware attacks block access to computer systems and networks by encrypting data files and then demanding a ransom for the decryption keys. Their impact ranges from minor annoyance to severe disruption.

If the attack on Kaseya shows anything, it is that ransomware and malicious actors are not going anywhere. Perpetrated by REvil, that attack impacted more than 1,500 businesses and companies worldwide.

And that is not all: 75% of organizations and businesses are projected to experience one or more ransomware attacks by the end of 2025, a seven-fold increase over 2020, which is concerning.

What is Ransomware?

Ransomware is a type of malware that encrypts a victim's data files and folders; the attacker then demands a ransom from the victim in exchange for restoring access. Ransomware attacks in Australia exploit open security vulnerabilities, infecting a network or PC through a phishing attack or a malicious website. Some ransomware variants have added functionality, including data theft, to give the victim further incentive to pay the ransom.

A survey found that more than one-third of international organizations or businesses have experienced a ransomware attack or data breach in the last 12 months. Extortion demands have also skyrocketed: the average demand in 2021 was 518% higher than in 2020.

Ransomware Attack Response Checklist

With this threat landscape in Australia and internationally, an ounce of prevention is worth a pound of cure. There is no reason to leave your company's systems and networks exposed to ransomware attacks when you can take concrete steps to prevent them.

The key to managing and responding to incidents effectively is a comprehensive, in-depth, and well-rehearsed incident response program. Our ransomware attack response checklist outlines the crucial steps that help your company or business prepare for a ransomware attack or data breach: preparation, investigation, analysis, and mitigation.

Isolate Your Computer Systems to Stop the Spread

Isolate the infected computer system from the network it is connected to as soon as possible to stop the spread: disconnect the infected devices from any network, then turn off any wireless capabilities such as Bluetooth or Wi-Fi. Do not erase anything or clean up files, since that destroys the evidence the investigation depends on. Also unplug any storage devices, including USB and external hard drives, especially if the incident scope is confirmed to be narrow.

Identify the Ransomware Strain or Variant

Knowing your adversary is a critical step in developing an effective and robust response plan. Your security team must invest time in correctly identifying the ransomware strain, such as Ryuk or Dharma.

Ransomware often identifies itself, and knowing which strain or variant you are dealing with helps you determine how to remove it. Depending on the strain, decryption tools may be able to recover your ransomed devices, files, and folders. You can also consult a security professional to determine the ransomware strain or version.

Identify the Initial Access Point

Check the properties of the encrypted files; this helps identify "patient zero", the first infected system or initial access point. Disabling network devices is usually the best course of action. Determining the initial access point lets you identify and close the hole in your security. Common initial access vectors include phishing and the unauthorized, unlawful use of credentials.

Identify All Infected Accounts and Systems

Keep in mind that a ransomware response plan should include an in-depth forensic analysis and answer several crucial questions, such as:

  • How did the ransomware attack happen?
  • Which systems or files have been compromised?
  • What sensitive data has been exposed?

Also identify any active malware and persistent leftovers on your systems that may still be communicating with the C2 (command-and-control) server. One common persistence technique is the use of Run registry keys. It is almost impossible to recover from a ransomware attack until you understand how it happened and which computer systems in your company were affected.
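As an added example (not code from the original post), here is a Python triage of Run-key entries collected from hosts during the investigation. It assumes the values were dumped with the Windows `reg query <key> /s` command and parses that layout from a constructed sample; the heuristics (user-writable launch paths, system-binary names outside \Windows, script hosts used as launchers) are assumptions to tune for your environment.

```python
import re

# Constructed sample in the layout of Windows `reg query <key> /s` output; not taken from the page.
SAMPLE_REG_QUERY = r"""HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    OneDrive    REG_SZ    "C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background
    WinUpdate    REG_SZ    C:\Users\alice\AppData\Roaming\svchost.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    SecurityHealth    REG_EXPAND_SZ    %windir%\system32\SecurityHealthSystray.exe
    Sync    REG_SZ    wscript.exe //B C:\ProgramData\sync.vbs
"""
# Heuristics (assumed; tune to your environment): user-writable launch paths,
# system-binary names outside \Windows, and script hosts used as launchers.
USER_WRITABLE = ("\\appdata\\", "\\programdata\\", "\\temp\\", "\\users\\public\\")
SYSTEM_NAMES = {"svchost.exe", "explorer.exe", "lsass.exe", "winlogon.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "powershell.exe", "mshta.exe", "rundll32.exe"}
VALUE_RE = re.compile(r"^\s{2,}(\S.*?)\s{2,}(REG_\w+)\s{2,}(.*)$")

def parse_reg_query(text):
    # Returns (key, value name, command) tuples, tracking the current HKEY_ header line
    entries, key = [], None
    for line in text.splitlines():
        if line.startswith("HKEY_"):
            key = line.strip()
        elif key and (m := VALUE_RE.match(line)):
            entries.append((key, m.group(1), m.group(3).strip()))
    return entries

def launcher_path(command):
    # The executable is the quoted token if present, else the first whitespace-separated token
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split()[0] if command else ""

def triage(entries):
    """Return (value name, executable, reasons) for entries that deserve analyst attention."""
    findings = []
    for _key, name, command in entries:
        exe = launcher_path(command)
        exe_l, reasons = exe.lower(), []
        base = exe_l.rsplit("\\", 1)[-1]
        if any(p in exe_l for p in USER_WRITABLE):
            reasons.append("launches from user-writable path")
        if base in SYSTEM_NAMES and "\\windows\\" not in exe_l:
            reasons.append("system binary name outside \\Windows")
        if base in SCRIPT_HOSTS:
            reasons.append("script host used as launcher")
        if reasons:
            findings.append((name, exe, reasons))
    return findings
```

Legitimate software (OneDrive in the sample) also launches from AppData, so the output is a worklist for an analyst, not a verdict; compare flagged entries against a known-good baseline from an unaffected host.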

Determine if Data Has Been Copied or Leaked

In many cases, ransomware attacks not only encrypt your files and folders but also exfiltrate your data, which is a cause for concern. Attackers do this to increase the likelihood of payment by posting, or threatening to post, proprietary information and embarrassing data online. Look for signs of data exfiltration, such as unusually large outbound data transfers.
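As an added example (not from the original post), the following Python code sums outbound traffic per internal host from flow records and flags hosts whose egress to external addresses exceeds a threshold. The record layout, the internal address ranges and the 500 MiB threshold are assumptions; the flow lines are constructed sample data.

```python
import ipaddress
from collections import defaultdict

# Constructed flow records in an assumed "timestamp src dst dst_port bytes" layout (not from the page).
SAMPLE_FLOWS = """2021-07-02T22:14:05 10.0.5.23 10.0.5.10 445 1843200
2021-07-02T22:15:11 10.0.5.23 203.0.113.45 443 734003200
2021-07-02T22:16:40 10.0.5.23 203.0.113.45 443 812646400
2021-07-02T22:17:02 10.0.5.41 198.51.100.8 443 52000
2021-07-02T22:18:19 10.0.5.41 10.0.5.10 445 9200000
2021-07-02T22:19:55 10.0.5.77 203.0.113.45 22 1258291200
"""
# Assumed internal ranges; replace with the organisation's own address plan.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Assumed per-host threshold; derive it from each host's normal daily egress rather than a fixed number.
EXFIL_THRESHOLD_BYTES = 500 * 1024 * 1024

def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)

def parse_flows(text):
    flows = []
    for line in text.strip().splitlines():
        ts, src, dst, port, nbytes = line.split()
        flows.append({"ts": ts, "src": src, "dst": dst, "port": int(port), "bytes": int(nbytes)})
    return flows

def outbound_by_host(flows):
    """Bytes sent by each internal host to external destinations, grouped by destination."""
    totals = defaultdict(lambda: defaultdict(int))
    for f in flows:
        if is_internal(f["src"]) and not is_internal(f["dst"]):  # internal-to-internal copies are ignored
            totals[f["src"]][f["dst"]] += f["bytes"]
    return totals

def flag_exfil(flows, threshold=EXFIL_THRESHOLD_BYTES):
    """Return (host, total external bytes, top destination), largest first, for hosts over threshold."""
    findings = []
    for host, dests in outbound_by_host(flows).items():
        total = sum(dests.values())
        if total >= threshold:
            findings.append((host, total, max(dests, key=dests.get)))
    return sorted(findings, key=lambda x: x[1], reverse=True)
```

A single external destination receiving gigabytes from several hosts in a short window, as in the sample, is the pattern to look for; confirm it against proxy or firewall logs before concluding that data left the network.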

Locate Your Data Backups and Determine their Integrity

A ransomware attack is dangerous because it will also try to delete your online data backups, to reduce the likelihood that you can recover from them. Ensure that your backup technology was not affected by the incident and is still operational. Remember that your backups may contain malicious payloads, so scan them to determine their integrity.
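As an added example (not from the original post), this Python code records a SHA-256 manifest of a backup set and later verifies the set against it, reporting files that went missing, were rewritten, or appeared unexpectedly. The manifest must be kept offline or on immutable storage; the file names and tampering scenario in `demo()` are constructed.

```python
import hashlib
import os
import tempfile

def sha256_file(path, chunk=1 << 20):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def build_manifest(backup_dir):
    """Hash every file at backup time; keep the manifest off the network so it cannot be rewritten."""
    manifest = {}
    for root, _, files in os.walk(backup_dir):
        for name in files:
            full = os.path.join(root, name)
            manifest[os.path.relpath(full, backup_dir)] = sha256_file(full)
    return manifest

def verify_backup(backup_dir, manifest):
    """Compare the backup set to its manifest: missing, modified, and unexpected files."""
    report = {"missing": [], "modified": [], "unexpected": []}
    present = set()
    for root, _, files in os.walk(backup_dir):
        for name in files:
            full = os.path.join(root, name)
            rel = os.path.relpath(full, backup_dir)
            present.add(rel)
            if rel not in manifest:
                report["unexpected"].append(rel)  # e.g. a ransom note or a renamed encrypted file
            elif sha256_file(full) != manifest[rel]:
                report["modified"].append(rel)    # content rewritten after the manifest was taken
    report["missing"] = sorted(set(manifest) - present)
    return report

def demo():
    """Constructed scenario: manifest a tiny backup, then simulate tampering and re-verify."""
    d = tempfile.mkdtemp()
    for name, data in {"payroll.xlsx": b"salary data", "notes.txt": b"meeting notes"}.items():
        with open(os.path.join(d, name), "wb") as f:
            f.write(data)
    manifest = build_manifest(d)
    os.rename(os.path.join(d, "payroll.xlsx"), os.path.join(d, "payroll.xlsx.locked"))
    with open(os.path.join(d, "notes.txt"), "wb") as f:
        f.write(b"overwritten")
    return verify_backup(d, manifest)
```

A clean manifest comparison proves the backup is unchanged since it was taken, not that it is free of malware; a backup taken after the infection began still needs an anti-malware scan of the restored files in a sandbox.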

Implement an Automated Backup Solution

Ensure that all data you need access to is backed up, including data on USB and mobile storage. Regularly test the recovery function of your data backup and restoration processes. Restore backups to a sandboxed environment first so that you can examine them before returning them to production.

Sanitize Your Systems or Develop New Builds

If you can confidently identify all active malware and persistence mechanisms on your company's systems, you can save time and resources by not rebuilding. Otherwise, it may be simpler and safer to create new, clean systems. Whether sanitizing or rebuilding your network, ensure that all appropriate security controls and protocols are applied.

Report the Incident

While you should educate your employees about the attack, it is also essential to report the incident to federal and local authorities, depending on where you are located. This helps them better understand ransomware and its impact on victims. If the attack is severe and your company's operations span multiple geographical regions, you may be obligated to contact national law enforcement rather than a local law enforcement agency.

Paying the Ransom?

Paying the ransom may seem like your only choice. However, many victims do not get their confidential data back after paying, which is one reason paying is often the worst course of action. Besides being illegal in many localities and regions, paying the ransom also helps fund future ransomware attacks.

Perform a Post-Incident Review to Prevent Future Attacks

What happens after a ransomware attack? Understanding what happened is one of the best ways to prevent future incidents. Review your incident response to understand what went right, document opportunities and areas for improvement, enhance the plan, and update security policies where needed.

If the ransomware arrived through a malicious email, increase employee security awareness. Finally, implement a robust business continuity plan: it cannot prevent ransomware from attacking your systems, but it can prevent the attack from doing serious damage.

Final Thoughts

Ransomware is a serious business risk for any organization, and no company or business is safe; even if you believe your small organization is immune, think again. To protect your business, design, test, and implement a ransomware response plan and update it frequently. With a robust plan in place, you will be better positioned to respond quickly and effectively whenever ransomware strikes.
